XEROX WorkCentre
3550
Information Assurance Disclosure Paper
18
Ver. 1.3, March 2011
Page
18 of 32
2.8.2.5.
Port 88, Kerberos
This port is only open when the device is communicating with the Kerberos server to authenticate a user, and is only
used only to authenticate users in conjunction with the Network Scanning feature. To disable this port,
authentication must be disabled, and this is accomplished via the Local User Interface.
This version of software has Kerberos 5.1.1 with DES (Data Encryption Standard) and 64-bit encryption. The Kerberos
code is limited to user authentication, and is used to authenticate a user with a given Kerberos server as a valid user
on the network. Please note that the Kerberos server (a 3rd party device) needs to be set up for each user. Once the
user is authenticated, the Kerberos software has completed its task. This code will not and cannot be used to encrypt
or decrypt documents or other information.
This feature is based on the Kerberos program from the Massachusetts Institute of Technology (MIT). The Kerberos
network authentication protocol is publicly available on the Internet as freeware at
http://web.mit.edu/kerberos/www/. Xerox has determined that there are no export restrictions on this version of the
software. However, there are a few deviations our version of Kerberos takes from the standard Kerberos
implementation from MIT. These deviations are:
1)
The device does not keep a user’s initial authentication and key after the user has been authenticated. In a
standard Kerberos implementation, once a user is authenticated, the device holds onto the authentication for a
programmed timeout (the usual default is 12 hours) or until the user removes it (prior to the timeout period). In
the Xerox implementation, all traces of authentication of the user are removed once they have been
authenticated to the device. The user can send any number of jobs until the user logs off the system, either
manually or through system timeout.
2)
The device ignores clock skew errors. In a standard implementation of Kerberos, authentication tests will fail if a
device clock is 5 minutes (or more) different from the Kerberos server. The reason for this is that given enough
time, someone could reverse engineer the authentication and gain access to the network. With the 5-minute
timeout, the person has just 5 minutes to reverse engineer the authentication and the key before it becomes
invalid. It was determined during the implementation of Kerberos for our device that it would be too difficult for
the user/SA to keep the device clock in sync with the Kerberos server, so the Xerox instantiation of Kerberos has
the clock skew check removed. The disadvantage is that this gives malicious users unlimited time to reverse
engineer the user’s key. However, since this key is only valid to access the Network Scanning features on a
device, possession of this key is of little use for nefarious purposes.
3)
The device ignores much of the information provided by Kerberos for authenticating. For the most part, the
device only pays attention to information that indicates whether authentication has passed. Other information
that the server may return (e.g. what services the user is authenticated for) is ignored or disabled in the Xerox
implementation. This is not an issue since the only service a user is being authenticated for is access to an e-
mail directory. No other network services are accessible from the Local UI.
Xerox has received an opinion from its legal counsel that the device software, including the implementation of a
Kerberos encryption protocol in its network authentication feature, is not subject to encryption restrictions based on
Export Administration Regulations of the United States Bureau of Export Administration (BXA). This means that it
can be exported from the United States to most destinations and purchasers without the need for previous approval
from or notification to BXA. At the time of the opinion, restricted destinations and entities included terrorist-
supporting states (Cuba, Iran, Libya, North Korea, Sudan and Syria), their nationals, and other sanctioned entities
such as persons listed on the Denied Parties List. Xerox provides this information for the convenience of its customers
and not as legal advice. Customers are encouraged to consult with legal counsel to assure their own compliance with
applicable export laws.
2.8.2.6.
Ports 137, 138, 139, NETBIOS
For print jobs, these ports support the submission of files for printing as well as support Network Authentication
through SMB. Port 137 is the standard NetBIOS Name Service port, which is used primarily for WINS. Port 138
supports the CIFS browsing protocol. Port 139 is the standard NetBIOS Session port, which is used for printing. Ports
137, 138 and 139 may be configured in the Properties tab of the device’s web page.
For Network Scanning features, ports 138 and 139 are used for both outbound (i.e. exporting scanned images and
associated data) and inbound functionality (i.e. retrieving Scan Templates). In both instances, these ports are only
open when the files are being stored to the server or templates are being retrieved from the Template Pool. For these
features, SMB protocol is used.
